azure, azure-powershell, azure-cognitive-services, azure-bicep

Powershell module can't find subscription when a bicep kicks it off


I am using a bicep to call a PowerShell script. The bicep script makes a call to Set-AzCognitiveServicesAccount.

It works as expected when I call the script from the command line. When I start the bicep from the command line, and it calls the script, I get this error:

No subscription found in the context.  Please ensure that the credentials you provided are authorized to access an Azure subscription, then run Connect-AzAccount to login

I have logged in from the command line using Connect-AzAccount. Why would it behave differently when the bicep kicks it off?

This is the PowerShell script:

param(
    [string] $resourceGroup,
    [string] $resourceName
)


Write-Output "Disable public network access on language $resourceName"

$result = Set-AzCognitiveServicesAccount -Name $resourceName -ResourceGroupName $resourceGroup -PublicNetworkAccess "Disabled" 

Write-Output "Result is $($result.ProvisioningState)"

Here is the relevant portion of my bicep:

var scriptArgumentsEndpoint = {
  resourceName: language.name
  resourceGroup: resourceGroup().name
}

var scriptContentEndpoint = loadTextContent('./disablePublicAccess.ps1')

resource scriptEndpoint 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'DisableendpointScript'
  location: location
  kind: 'AzurePowerShell'
  properties: {
    azPowerShellVersion: '10.1'
    retentionInterval: 'PT1H'
    scriptContent: scriptContentEndpoint
    arguments: join(map(items(scriptArgumentsEndpoint), arg => '-${arg.key} ${arg.value}'), ' ')
  }
}

There is a reason I am not disabling publicNetworkAccess from the bicep. I have another post about that.


Solution

  • Powershell module can't find subscription when a bicep kicks it off

    I do agree with Thomos, who suggested the same point.

    If you are deploying a deployment script in Bicep with API version 2020-10-01, it may require an Identity to authenticate Azure resources or the use of Connect-AzAccount inside the script. Follow the MS DOC on Developing a deployment script in Bicep.

    Here is the updated Bicep script to deploy a deployment script in Bicep using the identity method.

    Note: Make sure to assign the required role to the identity so that it can perform the action.

    var scriptArgumentsEndpoint = {
      resourceGroup: resourceGroup().name
    }
    
    var scriptContentEndpoint = loadTextContent('./disablePublicAccess.ps1')
    
    resource scriptEndpoint 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
      name: 'DisableendpointScript'
      location: resourceGroup().location
      identity: {
        type: 'UserAssigned'
        userAssignedIdentities: {
          '/subscriptions/<SUB_ID>/resourceGroups/Venkat-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Venkat-UAM': {}
        }
      }
      kind: 'AzurePowerShell'
      properties: {
        azPowerShellVersion: '10.1'
        retentionInterval: 'PT1H'
        scriptContent: scriptContentEndpoint
        arguments: join(map(items(scriptArgumentsEndpoint), arg => '-${arg.key} ${arg.value}'), ' ')
      }
    }
    

    Output:

    New-AzResourceGroupDeployment -ResourceGroupName "Automation_RG" -TemplateFile "COngitive.bicep"
    

    After executing the script, public access has been disabled.

    Refer: Follow the MS DOC to use identity in Bicep.
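
The role assignment that the answer's note calls for, as an added example that is not part of the original answer or of Microsoft's documentation: the identity is created in the same template and granted its role on the one Cognitive Services account only, rather than on the resource group or subscription. The parameter names, the identity name and the resource API versions other than the deployment script's are assumptions; `roleDefinitionGuid` must be supplied by the deployer.

```bicep
// Added example; names and parameters marked "assumed" are not from the original page.
param location string = resourceGroup().location
param languageAccountName string // assumed: name of the existing Language account
// assumed: GUID of a role that allows Microsoft.CognitiveServices/accounts/write,
// for example the built-in "Cognitive Services Contributor" role
param roleDefinitionGuid string

resource language 'Microsoft.CognitiveServices/accounts@2023-05-01' existing = {
  name: languageAccountName
}

resource scriptIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-disable-public-access' // assumed name
  location: location
}

// Least privilege: the assignment is scoped to the single account the script modifies.
resource scriptRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(language.id, scriptIdentity.id, roleDefinitionGuid)
  scope: language
  properties: {
    principalId: scriptIdentity.properties.principalId
    principalType: 'ServicePrincipal' // avoids failures while the new identity replicates
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionGuid)
  }
}

resource scriptEndpoint 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'DisableendpointScript'
  location: location
  kind: 'AzurePowerShell'
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${scriptIdentity.id}': {}
    }
  }
  properties: {
    azPowerShellVersion: '10.1'
    retentionInterval: 'PT1H'
    scriptContent: loadTextContent('./disablePublicAccess.ps1')
    arguments: '-resourceGroup ${resourceGroup().name} -resourceName ${language.name}'
  }
  // The script must not start before the identity holds its role.
  dependsOn: [
    scriptRole
  ]
}
```

The script container signs in as this identity, so the `Connect-AzAccount` session on the workstation that starts the deployment plays no part in what the script is authorized to do.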